Thanks for the report, the issue and the fix are confirmed. Next time, please don't push a public PR but use a secret gist.
At this point, my question is still whether it would be feasible to limit the length of the actual command line and/or argument to something appropriate. E.g. using xargs --show-limits on Linux will give back a way smaller number than 1024M. On Windows it is indeed something measured in kilobytes.
Thanks.

[2016-01-05 07:03 UTC] emmanuel dot law at gmail dot com

My bad.
Yeah, I don't see why we can't harden it further by limiting the length of the command line and argument. It should, however, fail safe. E.g. if the length of the string is beyond a certain limit, it should throw a fatal error rather than return a warning or an empty string.
For example, if it doesn't fail safe, the toy code below has the potential to delete all files on the webroot rather than only a user directory:
// If escapeshellarg() does not fail hard, $path can be empty and rm runs outside the user directory.
if (!ctype_alnum($_REQUEST['UID'])) exit();
$path = escapeshellarg("/web/root/users/$_REQUEST[UID]/");
exec("cd $path ; rm *.*");

Yeah, that's a good example. It definitely should fail hard. In another bug, #71039, I was poking about returning false for another case, but that definitely seems the wrong way now.
However, the reason the question about limiting the length came to my mind is that now, with your patch, it will go through, but with a big string it will still be too slow. Thus it still might be a matter of causing DOS. E.g. on my relatively modern laptop it runs a couple of minutes to process the escapeshellarg() call.
Thanks.

[2016-01-05 12:06 UTC] emmanuel dot law at gmail dot com

Checking the string length is a good additional control. However, even if we don't, IMO I don't think that DOS is a big concern because of the default max_execution_time (default 30 seconds).
E.g. the command below shows max_execution_time kicking in:
> time USE_ZEND_ALLOC=0 sapi/cli/php_patched_escapecmd_escapecmdarg -r 'set_time_limit(30); ini_set('memory_limit', -1); $A=str_repeat("A",1024*1024*1024);$A=escapeshellarg($A);'
Fatal error: Maximum execution time of 30 seconds exceeded in Command line code on line 1
real 0m30.940s
user 0m29.344s
sys 0m0.672s
It'll be hard to DOS the server if you need to post a 1024MB string to consume the PHP process for 30 seconds.

But that's not the extent. It also depends on the server configuration, of course. But in general, issue enough requests, even with less data, that will keep the server busy, and here it is. At least that's what I had in mind.
Thanks.
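
The fail-hard length check discussed in this thread, applied to the toy cleanup code, as an added example that is not part of the original comments or of PHP itself. `safe_shell_arg()`, `build_cleanup_command()` and the 4096-byte limit are assumptions chosen for illustration; the command is only built and printed, never executed.

```php
<?php
// Added example: safe_shell_arg(), build_cleanup_command() and
// MAX_SHELL_ARG_BYTES are hypothetical names, not part of PHP.
declare(strict_types=1);

const MAX_SHELL_ARG_BYTES = 4096; // assumed limit, far below OS command-line limits

/** Quote one shell argument, throwing instead of returning something unusable. */
function safe_shell_arg(string $value, int $maxBytes = MAX_SHELL_ARG_BYTES): string
{
    if ($value === '') {
        throw new InvalidArgumentException('empty shell argument');
    }
    if (strlen($value) > $maxBytes) {
        // Reject before escapeshellarg() spends CPU and memory on the input.
        throw new LengthException("shell argument exceeds $maxBytes bytes");
    }
    $quoted = escapeshellarg($value);
    // Fail closed if quoting yields nothing more than an empty pair of quotes.
    if (!is_string($quoted) || strlen($quoted) < 3) {
        throw new RuntimeException('escapeshellarg() returned an unusable value');
    }
    return $quoted;
}

/** The toy cleanup command from the thread, built so that any failure stops it. */
function build_cleanup_command(string $uid): string
{
    if (!ctype_alnum($uid)) {
        throw new InvalidArgumentException('UID must be alphanumeric');
    }
    $path = safe_shell_arg("/web/root/users/$uid/");
    // "&&" instead of ";" so rm never runs when cd fails.
    return "cd $path && rm -- *.*";
}

// Constructed inputs: a normal UID and an oversized one (1 MiB of "A").
foreach (['alice42', str_repeat('A', 1024 * 1024)] as $uid) {
    try {
        echo build_cleanup_command($uid), PHP_EOL;
    } catch (Exception $e) {
        // A real handler would abort the request here; nothing is executed.
        echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
    }
}
```

Rejecting the oversized value before quoting also avoids the slow escapeshellarg() pass on very large strings that the thread raises as a DOS concern.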